On 31/03/18 22:39, John Hardin wrote:
On Sat, 31 Mar 2018, Sebastian Arcus wrote:
I have a really simple rule looking for custom text string contained
in spam urls in the body of the email, like so:
body SHORT_BITCOIN_DATING /specific_string_here/i
score SHORT_BITCOIN_DATING 3.0
describe SHORT_BITCOIN_DATING Body URL signature of spam
I just realised that it is only working if the URL exists in both the
text and html versions. If the text version doesn't have the url, it
isn't working. Do "body" rules only work on the html part of the
message? I've tried searching through the documentation, but I can't
see that being the case. Maybe there is something else having an
effect here?
"body" includes the *rendered* part of HTML. If the URL only appears
within <a href="..."> in the HTML part then "body" will not see it.
If you are looking for URLs, you should probably be using a "uri" rule.
There are heuristics to pull those out of the body text, as well out of
HTML tags.
Thank you for the suggestions - much appreciated. As my original rule
worked initially, I didn't realise the subtle difference between using
BODY and URI rules. It is working fine now. Thank you again!
